CN100539504C - Network address translation and/or firewall traversal platform, system and method


Info

Publication number: CN100539504C
Authority: CN (China)
Application number: CNB2006100579325A
Other languages: Chinese (zh)
Other versions: CN101030865A
Inventors: 俞小良, 王松, 龚文国, 杨安国, 张绍鹏
Original assignee: 诺基亚西门子通信系统技术(北京)有限公司

Abstract

The present invention relates to a network address translation (NAT) and/or firewall traversal system and method. To solve the problem of traversing NAT and/or firewalls, a traversal platform is provided that decides the traversal method according to the user-side network environment and decides which traversal server to use according to the state of the traversal servers, so that the user side can traverse NAT and/or firewalls regardless of their type, with the best traversal performance.

Description

Network address translation and/or firewall traversal platform, system and method

Technical field

The present invention relates to network communication systems and methods, and in particular to a network address translation and/or firewall traversal platform, system and method.

Background technology

As more and more homes and small businesses acquire computers, they find that a network is a very powerful tool for sharing computer resources, and an Internet connection is an even more valuable resource on the network. To share an Internet connection over an inexpensive, easily managed home or small-office network, an Internet gateway must be deployed. The Internet gateway usually uses network address translation (NAT: Network Address Translation) as the way to connect multiple intranet hosts to the Internet while sharing a single public IP address.

A large number of enterprise and residential networks use private IP addresses and reach the public network through a network address translation/firewall (NAT/FW) device at the egress. A firewall restricts packets from entering the network without limit. Typically some packet filtering rules are set, and the firewall checks a packet's source address, destination address, source port, destination port and protocol to judge whether the packet satisfies the filtering rules; only packets that do can pass through the firewall. In practice, servers that need to be reachable from outside, such as Web servers, are usually placed in this zone, and the firewall is configured so that all data sent to the corresponding ports of these servers can pass.

NAT lets many hosts inside a private network reach the public network through a smaller number of public addresses, and at the same time hides the private IP addresses, protecting hosts in the private network from the outside world. Its principle is as follows: when a host in the private network needs to access the public network, the NAT server dynamically assigns it an idle public address; when the host no longer needs to access the public network (for example, when it has not sent messages to or received messages from the public network for a long time), the NAT server reclaims the assigned public address.

"NAT traversal" is a set of functions that lets a network application itself determine that it is behind a NAT device, obtain the external IP address, and configure port mappings so that packets arriving at the NAT's external port are forwarded to the internal port used by the application. All of this is done automatically, so the user does not need to configure port mappings or the like by hand.

Although "NAT traversal" can solve various problems that arise when connecting through a NAT device, there are also problems it cannot solve, and this solution can break many kinds of network applications, for example multi-player games, real-time communication and other peer-to-peer services. If these applications use private addresses on the public Internet, or use the same port number at the same time, they will fail. The applications must use public addresses, and each session must use a unique port number. Large organizations have dedicated IT staff to make sure their corporate applications work across NAT, but smaller organizations and consumers do not have that luxury.

Many Internet application providers have begun to look at the conflicts among traversal technologies. Techniques and methods have been developed to resolve existing NAT/FW traversal conflicts, for example Simple Traversal of UDP through NAT (STUN), Traversal Using Relay NAT (TURN), Interactive Connectivity Establishment (ICE), NAT application layer gateway (ALG), Middlebox Communications Protocol (MIDCOM), Universal Plug and Play (UPnP), full proxy server (Full Proxy) and HTTP tunnel (HTTP Tunnel). Each can solve part of the NAT/FW traversal problem, but none solves it completely.

The shortcoming of the STUN and TURN techniques is that, before communication begins, a STUN or TURN agent must be used to obtain the public IP address, and the NAT device's address translation table (ATT) must be built so that private IP addresses are changed into public IP addresses in subsequent packets. STUN cannot traverse symmetric NAT, and TURN supports traversal of all types of NAT, but neither supports firewall traversal.

ICE is a standardized method that lets Session Initiation Protocol (SIP) clients (or clients based on other multimedia session protocols) determine what type of NAT/firewall exists between the clients, and determine a set of IP addresses that can be used to establish a connection. It does so by using several protocols and network connection mechanisms, such as STUN, Traversal Using Relay NAT (TURN) and Realm Specific IP (RSIP). However, it cannot traverse firewalls that restrict the User Datagram Protocol (UDP).

The ALG technique must not only modify the header of IP packets but also rewrite the routing information carried in every SIP signaling message. When network traffic is heavy it easily becomes a network bottleneck, and it breaks the end-to-end transparency of the network, so its use is limited. In addition, users must replace or upgrade their routers or firewalls, and as the related protocols develop and expand, the equipment must be upgraded along with them.

The basic framework of the MIDCOM technique is to have a trusted third party (the MIDCOM Agent) control the Middlebox (NAT/FW). Because the function of recognizing application protocols is moved from the Middlebox to the external MIDCOM Agent, under the MIDCOM architecture new services can be supported simply by upgrading the MIDCOM Agent, without changing the basic characteristics of the Middlebox; this is a major advantage over the NAT/ALG approach. The Middlebox function can reside in the NAT/firewall; the softswitch (acting as the MIDCOM Agent) recognizes H323, SIP and MGCP/H248 protocol packets and controls the NAT/firewall, so that VoIP applications traverse the NAT/firewall. However, existing NAT/FW equipment must be upgraded to support the MIDCOM interface and the third party, which is the same shortcoming as ALG.

A full proxy server (Full Proxy) is positioned like a gateway, at the network edge, and has both a private IP address and a public IP address. In VoIP applications the proxy server splits VoIP into two parts: one from the internal terminal to the proxy server, and the other from the proxy server to the other end (which may be a softswitch or a terminal). It has its advantages, but it requires changing the network design and lowers the network security level.

UPnP is an architecture for general peer-to-peer network connectivity of intelligent terminals, including wireless devices, PCs and devices of various forms. It is designed to be easy to use, particularly as a standard for unmanaged network environments (including homes, small and medium companies, public places or the Internet). The user can configure additional devices in the network. However, the application client must be modified to support UPnP, and the NAT/FW must support UPnP as well.

With HTTP tunnel traversal, an HTTP tunnel is established before the application transfers data, and all signaling packets and data packets are carried through this HTTP tunnel. Before the HTTP tunnel is established, HTTP authentication must be performed or a configuration script executed automatically. This ensures that an IP application can traverse all types of firewall and NAT even in the worst environment, without modifying any network security device. However, because real-time data is carried over TCP, and this results in three routing passes, the application's quality of service (QoS: Quality of Service) is reduced. The HTTP tunnel is used only to traverse UDP-restricted and HTTP-authenticating firewalls, so it is the method of last resort in traversal.

Most of the above solutions require upgrading existing equipment, cannot traverse all types of firewall, and support neither management mechanisms nor optimization functions, so all of them are difficult to configure.

Summary of the invention

An object of the present invention is to provide a network address translation and/or firewall traversal method that simplifies network applications and lets them traverse various NAT/FW devices without having to support any additional protocol.

Another object of the invention is to provide a network address translation and/or firewall traversal platform that effectively traverses all types of NAT/FW without sacrificing security, and provides a management mechanism to shorten network access paths and balance network load.

A further object of the invention is to provide a network address translation and/or firewall traversal system that effectively traverses all types of NAT/FW without sacrificing security, and provides a management mechanism to shorten network access paths and balance network load.

A traversal method for network address translation and/or firewalls comprises the following steps:

Step 1: the user side, via the traversal agent, sends user-side network environment information through the network address translation device and/or firewall to the traversal platform;

Step 2: the traversal platform determines the traversal mode according to this user-side network environment information and the traversal policy information, and returns the traversal mode information to the user side;

Step 3: the user side, via the traversal agent, uses the corresponding traversal mode so that the user side communicates with the corresponding application server.

Step 2 comprises:

A traversal dispatch step: the user-side network environment information received via the traversal agent is taken as the input of the traversal policy step, and the result of the traversal policy step is passed to the user side via the traversal agent;

A traversal policy step: the traversal mode is determined according to the user-side network environment information and the traversal policy information, and this traversal mode information is taken as the input of the traversal dispatch step.

The method further comprises a traversal load-balance step, which collects the information of the traversal servers as input of the traversal policy step;

When the traversal mode is determined, if a traversal server is needed, the information of the traversal servers is collected to determine which traversal server to use, and this information, together with the traversal mode information, is taken as the input of the traversal dispatch step.

The traversal policy step determines a traversal method and one traversal server according to the user-side network environment information, the traversal server information and the traversal policy information, and the result is taken as the input of the traversal dispatch step.

The traversal policy step determines a traversal method and two traversal servers according to the user-side network environment information, the traversal server information and the traversal policy information; one traversal server is used to forward packets carrying signaling, the other is used to forward packets carrying data, and the result is taken as the input of the traversal dispatch step.

The method further comprises an operator management step, in which the operator manages and controls the traversal platform and formulates the traversal policy.

The traversal policy information includes specifying that the user side use the traversal server nearest to it in route distance, or the traversal server with the smallest load.

The method further comprises a traversal location step, which stores the information of the traversal policy, the traversal platform, the traversal servers and the application servers, and provides the relevant information when the traversal policy step is carried out.

If the user side has established a signaling channel and a data channel with the traversal server via the traversal agent, then when there is no data to transmit, the signaling channel is kept and the data channel is torn down; when the user side deregisters, both the signaling channel and the data channel are torn down.

The information of a traversal server includes the load condition of the traversal server and the address information of the traversal server.

The user-side network environment refers to the type of the network address translation device and/or firewall of the user side.

A network address translation and/or firewall traversal platform comprises:

A traversal policy server, for determining the traversal mode according to the user-side network environment information and the traversal policy information;

A traversal dispatch server, connected at one end to the user side through the network address translation device and/or firewall and the traversal agent, and at the other end to the traversal policy server, for sending the user-side network environment information to the traversal policy server and passing the result of the traversal policy server to the user side via the traversal agent.

The traversal platform further comprises a traversal load-balance server, connected at one end to the traversal policy server and at the other end to the traversal servers, for collecting the information of the traversal servers and passing it to the traversal policy server;

A traversal server, connected to the traversal load-balance server in the traversal platform; after the traversal platform has decided the traversal server and the traversal mode, it carries the communication between the user side and the application server.

The traversal platform further comprises an operator management server, connected respectively to the traversal dispatch server, the traversal policy server and the traversal load-balance server, used by the operator to manage and control the traversal platform and to formulate the traversal policy.

The traversal platform further comprises a traversal location server, connected to the traversal policy server and the operator management server, which stores the information of the traversal policy, the traversal platform, the traversal servers and the application servers, and provides the relevant information to the traversal policy server.

A network address translation and/or firewall traversal system comprises:

A user side, which communicates with the network address translation device and/or firewall via the traversal agent;

A traversal platform, connected to the user side through the network address translation device and/or firewall and the traversal agent, which determines the corresponding traversal mode of the user side according to the user-side network environment and the traversal policy information and returns this traversal mode information to the user side;

An application server, connected to the user side through the network address translation device and/or firewall and the traversal agent, which provides services to the user side.

The traversal platform comprises:

A traversal policy server, for determining the traversal mode according to the user-side network environment information and the traversal policy information;

A traversal dispatch server, connected at one end to the user side through the network address translation device and/or firewall and the traversal agent, and at the other end to the traversal policy server, for sending the user-side network environment information to the traversal policy server and passing the result of the traversal policy server to the user side via the traversal agent.

The traversal platform further comprises a traversal load-balance server, connected at one end to the traversal policy server and at the other end to the traversal servers, for collecting the information of the traversal servers and passing it to the traversal policy server;

A traversal server, connected to the traversal load-balance server in the traversal platform; after the traversal platform has decided the traversal server and the traversal mode, it carries the communication between the user side and the application server.

The system further comprises an operator management server, connected respectively to the traversal dispatch server, the traversal policy server and the traversal load-balance server, used by the operator to manage and control the traversal platform and to formulate the traversal policy.

The system further comprises a traversal location server, connected to the traversal policy server and the operator management server, which stores the information of the traversal policy, the traversal platform, the traversal servers and the application servers, and provides the relevant information to the traversal policy server.

The traversal agent is a traversal agent server independent of the user side, used to proxy the data transmitted between the user side and other devices in the network.

Alternatively, the traversal agent is traversal agent service software integrated in the user side, used to proxy the data transmitted between the user side and other devices in the network.

The traversal platform is a computer.

The beneficial effect of the invention is that user terminal programs inside a local area network can traverse all types of NAT and/or firewall. Traversal is independent of the application software, so existing application software does not need to be changed. By selecting the best traversal server, the network load is balanced and the best route is obtained, so application software connects faster; the effect is particularly good for the communication of instant-messaging software.

Description of drawings

Fig. 1 is a structural diagram of the system of the invention;

Fig. 2 is a flow chart of the method of the invention when a traversal server TS is used;

Fig. 3A is a diagram of the SIP terminal user registration process, for SIP protocol data traversing an asymmetric NAT and a firewall that does not forbid the UDP protocol;

Fig. 3B is a diagram of the SIP terminal user invitation process, for SIP protocol data traversing an asymmetric NAT and a firewall that does not forbid the UDP protocol;

Fig. 3C is a diagram of the process in which the SIP terminal user is invited, for SIP protocol data traversing an asymmetric NAT and a firewall that does not forbid the UDP protocol;

Fig. 3D is a diagram of the SIP terminal user logout process, for SIP protocol data traversing an asymmetric NAT and a firewall that does not forbid the UDP protocol;

Fig. 4A is a diagram of the SIP terminal user registration process, for SIP protocol data traversing a symmetric NAT and a firewall that does not forbid the UDP protocol;

Fig. 4B is a diagram of the SIP terminal user invitation process, for SIP protocol data traversing a symmetric NAT and a firewall that does not forbid the UDP protocol;

Fig. 4C is a diagram of the process in which the SIP terminal user is invited, for SIP protocol data traversing a symmetric NAT and a firewall that does not forbid the UDP protocol;

Fig. 4D is a diagram of the SIP terminal user logout process, for SIP protocol data traversing a symmetric NAT and a firewall that does not forbid the UDP protocol;

Fig. 5A is a diagram of the SIP terminal user registration process, for SIP protocol data traversing a symmetric NAT and a firewall that forbids the UDP protocol;

Fig. 5B is a diagram of the SIP terminal user invitation process, for SIP protocol data traversing a symmetric NAT and a firewall that forbids the UDP protocol;

Fig. 5C is a diagram of the process in which the SIP terminal user is invited, for SIP protocol data traversing a symmetric NAT and a firewall that forbids the UDP protocol;

Fig. 5D is a diagram of the SIP terminal user logout process, for SIP protocol data traversing a symmetric NAT and a firewall that forbids the UDP protocol.

Embodiment

The invention is described in detail below with reference to the accompanying drawings.

The invention can be applied in practice to NAT and/or firewall traversal for IPTV, VoIP (Voice over Internet Protocol) and the like.

Fig. 1 is a structural diagram of the system of the invention. As shown, the user-side application sends packets to the traversal agent server (TA: Traversal Agent), requesting to communicate with the application server (AS: Application Server) through the firewall or NAT. (The traversal agent server can also be built as a hardware or software module integrated in the user side.) The TA and the user terminal can be placed on the same computer, or the TA can be a separate computer (in this example it is a separate computer). All network-related application packets pass through the TA; a routing path to the TA can be added to the routing table in the local area network. The TA sends network environment information to the traversal dispatch server (TDS: Traversal Dispatch Server) in the traversal platform OAM; this information includes what type of NAT (symmetric or asymmetric NAT device) or firewall the TA is behind. Meanwhile, the traversal load-balance server (TBS: Traversal Balance Server) in the OAM collects information such as the load condition and addresses of the traversal servers (TS: Traversal Server) managed by this traversal platform, and automatically sends this information to the traversal policy server (TPS: Traversal Policy Server) at a scheduled time. The traversal location server (TLS: Traversal Location Server) stores the policies of the TPS, the TS state information collected by the TBS, and the information needed when applications traverse.

The platform also includes a traversal management server (TMS: Traversal Management Server), used by the operator to configure the traversal policy and assign a qualifying traversal server TS to the TA. For example, suppose there are 5 traversal servers TS in the network, 4 of which are relatively heavily loaded. The operator then decides whether a suitable traversal server is assigned to the TA with route priority or with load-balance priority. With route priority, the TA is assigned the traversal server nearest to it on the route; with load-balance priority, the TA is assigned a traversal server that is slightly farther away on the route but not heavily loaded. This is realized according to the operator's configuration. The operator can also decide which application server AS to use according to the type of application and the service type of the packets to be transmitted, setting different policies for different applications; can set rules for which service types are allowed through this traversal platform, such as the SIP protocol or services based on other protocols; and can set policies such as selecting the traversal policy server by its address.

After receiving the network conditions at the TA end sent by the traversal dispatch server TDS, and the load and address conditions of the traversal servers TS collected by the traversal load-balance server TBS, the traversal policy server TPS decides the traversal mode according to the specific policy set by the operator or the default policy, and returns the best TS address to the TA so that the TA and the TS can communicate.

In a preferred embodiment, the traversal servers TS can be divided into two kinds: one dedicated to the traversal of signaling packets, and the other dedicated to the traversal of data-content packets (for example Real-time Transport Protocol, RTP, packets). Signaling traversal does not consume much network resource, whereas multimedia packets or packets of other data types consume a great deal of traversal-server resource. The traversal policy server TPS can therefore assign a traversal server TS of the corresponding type according to whether the packets to be traversed are signaling packets or multimedia packets, which balances the load of the traversal servers better.

Fig. 2 shows the flow of the method of the invention when a traversal server TS is used.

Step 201: the traversal agent server TA sends the user-side network environment information to the traversal dispatch server TDS.

Step 202: the traversal load-balance server TBS collects the information of the traversal servers TS (including routing address information, load state information, etc.).

Step 203: the traversal policy server TPS, according to the information from the TDS and the TBS, determines the traversal mode of the traversal agent server TA and the traversal server TS to use.

Step 204: the traversal policy server TPS sends this information to the traversal agent server TA through the traversal dispatch server TDS.

Step 205: a channel is established between the traversal agent server TA and the traversal server TS, and data is transmitted.

Step 206: the traversal server TS connects to the application server, and data is transmitted.

The most popular communication protocol, the Session Initiation Protocol (SIP), is used below as an example to describe the result of deciding the traversal mode:

Table 1: decision conditions and results

| NAT type | Firewall type | TCP/HTTP used between TA and TS | TS included | Policy applied |
|---|---|---|---|---|
| Asymmetric | Does not forbid the UDP protocol | No | No | Traverse using STUN |
| Symmetric | Does not forbid the UDP protocol | No | Yes | Traverse using TURN |
| Asymmetric | Forbids the UDP protocol | Yes | Yes | Traverse by setting up a UDP channel |
| Symmetric | Forbids the UDP protocol | Yes | Yes | Set up a TCP/HTTP channel to traverse, and return the address of the TS nearest to the TA in the network as the traversal server (to reduce the negative effect of the TCP protocol when transmitting RTP packets) |
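The decision in Table 1, combined with the operator's choice between route priority and load-balance priority and with the split between signaling and data traversal servers described above, can be sketched as follows. This is an added example, not code from the patent; the `decide` function, the field names and the constructed server list (documentation addresses) are assumptions made for illustration.

```python
"""Sketch of the TPS decision: Table 1 lookup plus TS selection (added example)."""
from dataclasses import dataclass
from typing import Optional, Sequence

# (NAT type, firewall forbids UDP) -> (traversal mode, TCP/HTTP between TA and TS, TS needed)
# The four rows follow Table 1 as printed on the page.
TABLE_1 = {
    ("asymmetric", False): ("STUN", False, False),
    ("symmetric", False): ("TURN", False, True),
    ("asymmetric", True): ("UDP channel", True, True),
    ("symmetric", True): ("TCP/HTTP channel", True, True),
}


@dataclass(frozen=True)
class TraversalServer:
    """State the TBS would report for one TS (field names are assumptions)."""
    address: str
    hops: int           # route distance from the TA
    load: float         # 0.0 (idle) .. 1.0 (saturated)
    role: str = "any"   # "signaling", "media" or "any"


@dataclass(frozen=True)
class Decision:
    mode: str
    tcp_http: bool
    signaling_ts: Optional[str]
    media_ts: Optional[str]


def pick_ts(servers: Sequence[TraversalServer], role: str, policy: str) -> TraversalServer:
    """Choose one TS for a role under the operator policy ("route" or "load")."""
    pool = [s for s in servers if s.role in (role, "any")]
    if not pool:
        # Fail closed: never hand the TA a server that cannot carry this traffic.
        raise LookupError(f"no traversal server available for {role} traffic")
    if policy == "route":
        return min(pool, key=lambda s: (s.hops, s.load))
    if policy == "load":
        return min(pool, key=lambda s: (s.load, s.hops))
    raise ValueError(f"unknown operator policy: {policy!r}")


def decide(nat_type: str, udp_forbidden: bool,
           servers: Sequence[TraversalServer], policy: str = "route") -> Decision:
    """Return the traversal mode and the TS addresses the TDS would pass to the TA."""
    key = (nat_type, bool(udp_forbidden))
    if key not in TABLE_1:
        raise ValueError(f"network environment not covered by Table 1: {key!r}")
    mode, tcp_http, needs_ts = TABLE_1[key]
    if not needs_ts:
        return Decision(mode, tcp_http, None, None)   # STUN row: no TS involved
    if key == ("symmetric", True):
        # Table 1, last row: always the TS nearest to the TA, whatever the
        # operator policy, to limit the cost of carrying RTP over TCP.
        policy = "route"
    signaling = pick_ts(servers, "signaling", policy)
    media = pick_ts(servers, "media", policy)
    return Decision(mode, tcp_http, signaling.address, media.address)


# Constructed sample state: four traversal servers as reported by the TBS.
SERVERS = [
    TraversalServer("192.0.2.10", hops=2, load=0.90),
    TraversalServer("192.0.2.20", hops=5, load=0.20),
    TraversalServer("192.0.2.30", hops=3, load=0.85, role="signaling"),
    TraversalServer("192.0.2.40", hops=6, load=0.10, role="media"),
]

if __name__ == "__main__":
    for nat, udp in TABLE_1:
        for policy in ("route", "load"):
            print(nat, udp, policy, decide(nat, udp, SERVERS, policy))
```

Running the module prints the decision for every row of Table 1 under both operator policies, which makes the last-row override of the load-balance policy visible.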

Sip terminal among the following embodiment is the Intranet user terminal in fire compartment wall or NAT back;

UserA is the sign of Sip terminal, is called the Sip Termination ID;

UserA@userA.domain, the back be the routing address that can be routed to this Sip terminal, also have in an embodiment,, this routing address can be the IP address, also can be domain name.

UserB is the public network user terminal, also can be the Intranet user terminal in fire compartment wall or NAT back;

The Sip server can send the data of calling terminal to called end for Sip is provided the server of service.

Fig. 3 A is that the inventive method Session Initiation Protocol data are to asymmetric form NAT with do not forbid the Sip terminal use registration process figure of the Firewall Traversing of udp protocol.

The user side application program is the Sip terminal, sends register requirement to passing through acting server TA, and calling terminal From is described as: userA@register.domain, and wherein userA is the Sip Termination ID, register.domain is the Sip server address; The description of called end To is consistent with calling terminal; Signaling address Contact is: userA@userA.domain, and wherein userA is the Sip Termination ID, userA.domain is the Sip terminal address.

The traversal proxy server TA sends the user information and the network-environment detection information (including the type of NAT and/or firewall, etc.) through the NAT and/or firewall to the traversal dispatch server TDS. The TDS asks the traversal policy server TPS to assign a suitable traversal server and traversal method to the registering SIP terminal. Based on the information passed on by the TDS and the state of the traversal servers TS (including load, routing address, etc.), the TPS returns the traversal server TS to use and the corresponding traversal method (STUN in this example).

After the traversal dispatch server TDS receives this information, because this method does not require a traversal server TS, it forwards only the traversal method STUN to the traversal proxy server TA. Once the traversal method has been determined, the TA uses STUN traversal to send the registration message to the SIP server. In the message sent by the TA, the caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is identical to the caller field; the signaling address Contact is userA@NAT/FW.domain, where userA is the SIP terminal ID and NAT/FW.domain is the firewall or NAT address. A UDP logical channel C.1 is established and maintained.

The SIP server returns a 200 OK confirmation to the traversal proxy server TA. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is identical to the caller field; the signaling address Contact is userA@NAT/FW.domain, where userA is the SIP terminal ID and NAT/FW.domain is the firewall or NAT address.

The traversal proxy server TA modifies the confirmation received from the SIP server: the caller and callee contents are unchanged, and the signaling address is changed to userA@userA.domain, where userA is the SIP terminal ID and userA.domain is the SIP terminal address. The TA then forwards this 200 OK confirmation packet to the SIP terminal.

Fig. 3 B is that the inventive method Session Initiation Protocol data are to asymmetric form NAT with do not forbid the Sip terminal use invitation process figure of the Firewall Traversing of udp protocol.

The SIP terminal sends an invite request to the SIP server. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is userB@register.domain, where userB is the callee's user ID and register.domain is the SIP server address; the signaling address Contact is userA@userA.domain, where userA is the SIP terminal ID and userA.domain is the SIP terminal address; the media packet address in the SDP is IPA:PortA, that is, the SIP terminal's IP address IPA and the SIP terminal's port PortA.

The traversal proxy server TA forwards the SIP terminal's invite packet. The caller and callee descriptions are unchanged; the signaling address is changed to userA@FW/NAT.domain, where userA is the SIP terminal ID and FW/NAT.domain is the address of the firewall or NAT; the media packet address in the SDP is changed to IPFW/NAT:PortFW/NAT, where IPFW/NAT is the IP address of the firewall or NAT and PortFW/NAT is the port used on the firewall or NAT.

In this way, the traversal proxy server TA and the SIP proxy server establish a UDP logical channel C.1 for signaling.

The SIP server returns a 200 OK confirmation through the firewall or NAT to the traversal proxy server TA. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is userB@register.domain, where userB is the callee's user ID (a user on the public network) and register.domain is the SIP server address; the signaling address Contact is userB@userB.domain, where userB is the callee's user ID and userB.domain is the called user's address; the packet address in the SDP is IPB:PortB, that is, the called user's address IPB and the called user's port PortB.

The traversal proxy server TA forwards this message to the SIP terminal user. The caller and callee information in the 200 OK confirmation is unchanged; the signaling address is userB@TA.domain, where userB is the callee's user ID and TA.domain is the address of the traversal proxy server TA; the media packet address is IPTA:PortTA, where IPTA is the IP address of the traversal proxy server and PortTA is the port of the traversal proxy server.

The SIP terminal sends RTP packets to the traversal proxy server TA, and the TA exchanges the data with the application server (SIP server) over the UDP media channel C.2 established between them. Media channel C.2 is closed only when there is no media data to transmit.
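The Contact and SDP rewriting that the traversal proxy server TA performs on the outbound invite in Fig. 3B, as an added Python example that is not part of the patent text. The function names, the sample message and the addresses (nat-fw.example standing in for FW/NAT.domain, 203.0.113.10:40000 for IPFW/NAT:PortFW/NAT) are constructed assumptions; the example handles a single media stream and recomputes Content-Length, which a rewriting proxy must do because the body length changes.

```python
import re

CRLF = "\r\n"
# Header names handled here, including the SIP compact forms (RFC 3261).
CONTACT_NAMES = {"contact", "m"}
LENGTH_NAMES = {"content-length", "l"}
# user@host[:port] inside a sip:/sips: URI; URI parameters after ';' are kept.
URI_HOST = re.compile(r"(sips?:[^@>;\s]+@)[^>;\s]+")


def rewrite_sdp(sdp, media_ip, media_port):
    """Replace the connection address (c=) and media port (m=) of one stream."""
    lines = sdp.split(CRLF)
    if sum(line.startswith("m=") for line in lines) != 1:
        # Every stream would need its own mapped port; one stream only here.
        raise ValueError("expected exactly one media stream")
    out = []
    for line in lines:
        if line.startswith("c=IN IP4 "):
            line = "c=IN IP4 " + media_ip
        elif line.startswith("m="):
            kind, _old_port, rest = line[2:].split(" ", 2)
            line = f"m={kind} {media_port} {rest}"
        out.append(line)  # o= and all other lines pass through unchanged
    return CRLF.join(out)


def rewrite_sip(raw, contact_host, media_ip, media_port):
    """Rewrite Contact and SDP media address; From and To stay untouched."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("missing blank line between headers and body")
    start_line, *headers = head.split(CRLF)
    if body:
        body = rewrite_sdp(body, media_ip, media_port)
    body_len = len(body.encode("utf-8"))

    out, contacts, has_length = [start_line], 0, False
    for line in headers:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key in CONTACT_NAMES:
            value, n = URI_HOST.subn(
                lambda m: m.group(1) + contact_host, value, count=1)
            if n != 1:
                raise ValueError("Contact carries no user@host SIP URI")
            contacts += 1
            line = f"{name}:{value}"
        elif key in LENGTH_NAMES:
            has_length = True
            line = f"{name}: {body_len}"  # body size changed, so recompute
        out.append(line)
    if contacts != 1:
        raise ValueError("expected exactly one Contact header")
    if not has_length:
        out.append(f"Content-Length: {body_len}")
    return CRLF.join(out) + CRLF + CRLF + body


def sample(start_line, contact, ip, port):
    """Build a constructed SIP message with a one-stream SDP body."""
    sdp = CRLF.join(["v=0", f"o=- 1 1 IN IP4 {ip}", "s=-",
                     f"c=IN IP4 {ip}", "t=0 0",
                     f"m=audio {port} RTP/AVP 0", ""])
    headers = [start_line,
               "From: <sip:userA@register.domain>;tag=a1",
               "To: <sip:userB@register.domain>",
               f"Contact: <{contact}>",
               "Content-Type: application/sdp",
               f"Content-Length: {len(sdp)}"]
    return CRLF.join(headers) + CRLF + CRLF + sdp


# Constructed invite as the SIP terminal would send it (IPA:PortA is private).
INVITE = sample("INVITE sip:userB@register.domain SIP/2.0",
                "sip:userA@userA.domain", "192.168.1.20", 5004)

if __name__ == "__main__":
    print(rewrite_sip(INVITE, "nat-fw.example", "203.0.113.10", 40000))
```

The same function covers the reverse direction of Fig. 3B: passing the TA's own host, IP address and port rewrites the 200 OK before it is forwarded to the SIP terminal.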

Fig. 3 C be the inventive method Session Initiation Protocol data to asymmetric form NAT and the Sip terminal use of Firewall Traversing who does not forbid udp protocol by invitation process figure.

The SIP server sends an invite request to the SIP terminal over the UDP logical channel C.1. When the packet reaches the traversal proxy server TA, it contains the following: the caller field From is userB@register.domain, where userB is the caller's user ID and register.domain is the SIP server address; the callee field To is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the signaling address Contact is userB@userB.domain, where userB is the caller's user ID and userB.domain is the caller's address; the media packet address in the SDP is IPB:PortB, that is, the caller's IP address IPB and the caller's port PortB.

When the traversal proxy server TA forwards this invite request to the SIP terminal, the caller and callee information is unchanged; the signaling address is changed to userB@TA.domain, where userB is the caller's user ID and TA.domain is the address of the traversal proxy server TA that sends this data; the media packet address in the SDP is IPTA:PortTA, that is, the IP address IPTA of the traversal proxy server TA and the port PortTA of the traversal proxy server TA.

The SIP terminal returns a 200 OK confirmation to the traversal proxy server TA. The caller and callee information is the same as in the received invite request; the signaling address is userA@userA.domain, where userA is the SIP terminal ID and userA.domain is the SIP terminal address; the media packet address in the SDP is IPA:PortA, that is, the SIP terminal's IP address IPA and the SIP terminal's port PortA.

The traversal proxy server TA forwards this 200 OK confirmation through the firewall or NAT to the SIP server over the UDP logical channel C.1. The caller and callee information is unchanged; the signaling address is userA@FW/NAT.domain, where userA is the SIP terminal ID and FW/NAT.domain is the public network address of the firewall or NAT; the media packet address in the SDP is IPFW/NAT:PortFW/NAT, that is, the public IP address of the firewall or NAT (IPFW/NAT) and the port of the firewall or NAT (PortFW/NAT).

The SIP terminal sends RTP packets to the traversal proxy server TA, and the TA exchanges the data with the application server (SIP server) over the UDP media logical channel C.3 established between them. Media channel C.3 is closed only when there is no media data to transmit.

Fig. 3 D is that the inventive method Session Initiation Protocol data are to asymmetric form NAT with do not forbid the Sip terminal use log off procedure figure of the Firewall Traversing of udp protocol.

The SIP terminal sends a logout message to the traversal proxy server TA. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the signaling address Contact is userA@userA.domain, where userA is the SIP terminal ID and userA.domain is the SIP terminal address; the lifetime of the SIP terminal's connection to the SIP server is 0.

The traversal proxy server TA forwards the logout message through the firewall or NAT to the SIP server. The caller and callee information is unchanged; the signaling address is changed to userA@NAT/FW.domain, where userA is the SIP terminal ID and the signaling address is the firewall or NAT address. This message is passed to the SIP server over the UDP logical channel C.1.

The SIP server returns a 200 OK confirmation to the traversal proxy server TA over the UDP logical channel C.1; the caller, callee and signaling address information is the same as in the logout message sent by the TA.

The traversal proxy server TA returns the 200 OK confirmation to the SIP terminal user. The caller and callee information is unchanged; the signaling address is changed to userA@userA.domain, where userA is the SIP terminal ID and userA.domain is the SIP terminal address. After the SIP terminal user receives the confirmation, the UDP logical channel C.1 is disconnected.

Fig. 4 A is that the data of the inventive method Session Initiation Protocol are to symmetric form NAT and the non-Sip terminal use registration process figure that forbids the Firewall Traversing of udp protocol.

The client application is the SIP terminal, which sends a registration request to the traversal proxy server TA. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is identical to the caller field; the signaling address Contact is userA@userA.domain, where userA is the SIP terminal ID and userA.domain is the SIP terminal address.

The traversal proxy server sends the user information and the network-environment detection information through the NAT and/or firewall to the traversal dispatch server TDS. The TDS asks the traversal policy server TPS to assign a suitable traversal server and traversal method to the registering SIP terminal user. Based on the information passed on by the TDS and the state of the traversal servers TS, the TPS returns the traversal server TS to use and the corresponding traversal method (the TURN method in this example).

After the traversal dispatch server TDS receives this information, because this method requires a traversal server TS, it forwards the traversal method TURN to the traversal proxy server TA. Once the traversal method has been determined, the TA uses TURN traversal to establish a logical channel C.4 between the traversal proxy server TA and the traversal server TS.

The traversal proxy server TA sends the registration message to the traversal server TS over the logical channel C.4. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is identical to the caller field; the signaling address Contact is userA@TA.domain, where userA is the SIP terminal ID and TA.domain is the address of the traversal proxy server TA.

The traversal server TS sends this registration message to the SIP server. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is identical to the caller field; the signaling address Contact is userA@TS.domain, where userA is the SIP terminal ID and TS.domain is the address of the traversal server TS.

The SIP server returns a 200 OK confirmation to the traversal server TS. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is identical to the caller field; the signaling address Contact is userA@TS.domain, where userA is the SIP terminal ID and TS.domain is the address of the traversal server TS.

The traversal server TS forwards this 200 OK confirmation to the traversal proxy server TA over the UDP logical channel C.4. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is identical to the caller field; the signaling address Contact is userA@TA.domain, where userA is the SIP terminal ID and TA.domain is the address of the traversal proxy server.

The traversal proxy server TA forwards this 200 OK confirmation to the SIP terminal. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is identical to the caller field; the signaling address Contact is userA@userA.domain, where userA is the SIP terminal ID and userA.domain is the SIP terminal address.

Fig. 4 B is that the inventive method Session Initiation Protocol data are to symmetric form NAT and the non-Sip terminal use invitation process figure that forbids the Firewall Traversing of udp protocol.

The SIP terminal sends an invite request to the traversal proxy server TA. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is userB@register.domain, where userB is the callee's user ID and register.domain is the SIP server address; the signaling address Contact is userA@userA.domain, where userA is the SIP terminal ID and userA.domain is the SIP terminal address; the media packet address in the SDP is IPA:PortA, that is, the SIP terminal's IP address IPA and the SIP terminal's port PortA.

The traversal proxy server TA forwards the request message to the traversal server TS over the UDP logical channel C.4. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is userB@register.domain, where userB is the callee's user ID and register.domain is the SIP server address; the signaling address Contact is TA@TA.domain, where TA is the traversal proxy server's user ID and TA.domain is the address of the traversal proxy server TA; the media packet address in the SDP is IPTA:PortTA, that is, the IP address IPTA of the traversal proxy server TA and the port PortTA of the traversal proxy server TA.

The traversal server TS forwards the request message to the SIP server. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is userB@register.domain, where userB is the callee's user ID and register.domain is the SIP server address; the signaling address Contact is TS@TS.domain, where TS is the traversal server's user ID and TS.domain is the address of the traversal server TS; the media packet address in the SDP is IPTS:PortTS, that is, the IP address IPTS of the traversal server TS and the port PortTS of the traversal server TS.

The SIP server returns a 200 OK confirmation to the traversal server TS. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is userB@register.domain, where userB is the callee's user ID and register.domain is the SIP server address; the signaling address Contact is userB@userB.domain, where userB is the callee's user ID and userB.domain is the callee's address; the media packet address in the SDP is IPB:PortB, that is, the callee's IP address IPB and the callee's port PortB.

The traversal server TS forwards this 200 OK confirmation to the traversal proxy server TA over the UDP logical channel C.4. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is userB@register.domain, where userB is the callee's user ID and register.domain is the SIP server address; the signaling address Contact is userB@TS.domain, where userB is the callee's user ID and TS.domain is the address of the traversal server TS; the media packet address in the SDP is IPTS:PortTS, that is, the IP address IPTS of the traversal server TS and the port PortTS of the traversal server TS.

The traversal proxy server TA forwards this 200 OK confirmation to the SIP terminal. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is userB@register.domain, where userB is the callee's user ID and register.domain is the SIP server address; the signaling address Contact is userB@TA.domain, where userB is the callee's user ID and TA.domain is the address of the traversal proxy server TA; the media packet address in the SDP is IPTA:PortTA, that is, the IP address IPTA of the traversal proxy server TA and the port PortTA of the traversal proxy server TA.

The SIP terminal and the traversal proxy server TA exchange RTP media packets over UDP. The traversal proxy server TA and the traversal server TS establish a media logical channel C.5 to carry the RTP media packets. The traversal server TS and the SIP server exchange RTP media packets over UDP.

Fig. 4 C be the data of the inventive method Session Initiation Protocol to the Sip terminal use of symmetric form NAT and non-Firewall Traversing of forbidding udp protocol by invitation process figure.

The SIP server sends an invite request to the traversal server TS. The caller field From is userB@register.domain, where userB is the caller's user ID and register.domain is the SIP server address; the callee field To is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the signaling address Contact is userB@userB.domain, where userB is the caller's user ID and userB.domain is the caller's address; the packet address in the SDP is IPB:PortB, that is, the caller's IP address IPB and the caller's port PortB.

The traversal server TS forwards the request message to the traversal proxy server TA over the UDP logical channel C.4. The caller field From is userB@register.domain, where userB is the caller's user ID and register.domain is the SIP server address; the callee field To is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the signaling address Contact is userB@TS.domain, where userB is the caller's user ID and TS.domain is the address of the traversal server TS; the media packet address in the SDP is IPTS:PortTS, that is, the IP address IPTS of the traversal server TS and the port PortTS of the traversal server TS.

The traversal proxy server TA forwards the request message to the SIP terminal. The caller field From is userB@register.domain, where userB is the caller's user ID and register.domain is the SIP server address; the callee field To is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the signaling address Contact is userB@TA.domain, where userB is the caller's user ID and TA.domain is the address of the traversal proxy server TA; the media packet address in the SDP is IPTA:PortTA, that is, the IP address IPTA of the traversal proxy server TA and the port PortTA of the traversal proxy server TA.

The SIP terminal returns a 200 OK confirmation to the traversal proxy server TA. The caller field From is userB@register.domain, where userB is the caller's user ID and register.domain is the SIP server address; the callee field To is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the signaling address Contact is userA@userA.domain, where userA is the SIP terminal ID and userA.domain is the SIP terminal address; the media packet address in the SDP is IPA:PortA, that is, the SIP terminal's IP address IPA and the SIP terminal's port PortA.

The traversal proxy server TA forwards this 200 OK confirmation to the traversal server TS over the UDP logical channel C.4. The caller field From is userB@register.domain, where userB is the caller's user ID and register.domain is the SIP server address; the callee field To is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the signaling address Contact is userA@TA.domain, where userA is the SIP terminal ID and TA.domain is the address of the traversal proxy server TA; the media packet address in the SDP is IPTA:PortTA, that is, the IP address IPTA of the traversal proxy server TA and the port PortTA of the traversal proxy server TA.

The traversal server TS forwards this 200 OK confirmation to the SIP server. The caller field From is userB@register.domain, where userB is the caller's user ID and register.domain is the SIP server address; the callee field To is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the signaling address Contact is userA@TS.domain, where userA is the SIP terminal ID and TS.domain is the address of the traversal server TS; the media packet address in the SDP is IPTS:PortTS, that is, the IP address IPTS of the traversal server TS and the port PortTS of the traversal server TS.

The SIP terminal and the traversal proxy server TA exchange RTP media packets over UDP. The traversal proxy server TA and the traversal server TS establish a media logical channel C.6 to carry the RTP media packets. The traversal server TS and the SIP server exchange RTP media packets over UDP. When the SIP terminal user userA and the calling user userB have no media data to transmit, media channel C.6 is closed.

Fig. 4 D is that the inventive method Session Initiation Protocol data are to symmetric form NAT with do not forbid the Sip terminal use log off procedure figure of the Firewall Traversing of udp protocol.

The SIP terminal sends a logout message to the traversal proxy server TA. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the signaling address Contact is userA@userA.domain, where userA is the SIP terminal ID and userA.domain is the SIP terminal address; the lifetime of the SIP terminal's connection to the SIP server is 0.

The traversal proxy server TA forwards the logout message through the firewall or NAT to the traversal server TS over the UDP logical channel C.4. The caller and callee information is unchanged; the signaling address is changed to userA@TA.domain, where userA is the SIP terminal ID and the signaling address is the address of the traversal proxy server TA; the lifetime is 0. This message is sent over the UDP logical channel C.4.

The traversal server TS forwards the logout message to the SIP server. The caller and callee information is unchanged; the signaling address is changed to userA@TS.domain, where userA is the SIP terminal ID and the signaling address is the address of the traversal server TS; the lifetime is 0.

The SIP server returns a 200 OK confirmation to the traversal server TS; the caller, callee and signaling address are all the same as in the logout message it received.

The traversal server TS returns the 200 OK confirmation to the traversal proxy server TA over the UDP logical channel C.4. The caller and callee information is unchanged; the signaling address is changed to userA@TA.domain, where userA is the SIP terminal ID and the signaling address is the address of the traversal proxy server TA; the lifetime is 0.

The traversal proxy server TA returns the 200 OK confirmation to the SIP terminal user. The caller and callee information is unchanged; the signaling address is changed to userA@userA.domain, where userA is the SIP terminal ID and userA.domain is the SIP terminal address; the lifetime is 0. After the SIP terminal user receives the confirmation, the UDP logical channel C.4 is disconnected.

Fig. 5 A is the inventive method Session Initiation Protocol data to symmetric form NAT and forbids the Sip terminal use registration process figure of the Firewall Traversing of udp protocol.

The client application is the SIP terminal, which sends a registration request to the traversal proxy server TA. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is identical to the caller field; the signaling address Contact is userA@userA.domain, where userA is the SIP terminal ID and userA.domain is the SIP terminal address.

The traversal proxy server TA sends the user information and the network-environment detection information through the NAT and/or firewall to the traversal dispatch server TDS. The TDS asks the traversal policy server TPS to assign a suitable traversal server and traversal method to the registering client. Based on the information passed on by the TDS and the state of the traversal servers TS, the TPS returns the traversal server TS to use and the corresponding traversal method (the HTTP/TCP channel method in this example).

After the traversal dispatch server TDS receives this information, because this method requires a traversal server TS, it forwards the HTTP/TCP channel traversal method to the traversal proxy server TA. Once the traversal method has been determined, the traversal proxy server TA and the traversal server TS establish an HTTP/TCP channel C.7.

The traversal proxy server TA sends the registration message to the traversal server TS over channel C.7. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is identical to the caller field; the signaling address Contact is userA@TA.domain, where userA is the SIP terminal ID and TA.domain is the address of the traversal proxy server TA.

The traversal server TS sends this registration message to the SIP server. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is identical to the caller field; the signaling address Contact is userA@TS.domain, where userA is the SIP terminal ID and TS.domain is the address of the traversal server TS.

The SIP server returns a 200 OK confirmation to the traversal server TS. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is identical to the caller field; the signaling address Contact is userA@TS.domain, where userA is the SIP terminal ID and TS.domain is the address of the traversal server TS.

The traversal server TS forwards this 200 OK confirmation to the traversal proxy server TA over the HTTP/TCP channel C.7. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is identical to the caller field; the signaling address Contact is userA@TA.domain, where userA is the SIP terminal ID and TA.domain is the address of the traversal proxy server TA.

The traversal proxy server TA forwards this 200 OK confirmation to the SIP terminal. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is identical to the caller field; the signaling address Contact is userA@userA.domain, where userA is the SIP terminal ID and userA.domain is the SIP terminal address.

Fig. 5 B is the inventive method Session Initiation Protocol data to symmetric form NAT and forbids the Sip terminal use invitation process figure of the Firewall Traversing of udp protocol.

The SIP terminal sends an invite request to the traversal proxy server TA. The caller field From is userA@register.domain, where userA is the SIP terminal ID and register.domain is the SIP server address; the callee field To is userB@register.domain, where userB is the callee's user ID and register.domain is the SIP server address; the signaling address Contact is userA@userA.domain, where userA is the SIP terminal ID and userA.domain is the SIP terminal address; the packet address in the SDP is IPA:PortA, that is, the SIP terminal's IP address IPA and the SIP terminal's port PortA.

Pass through acting server TA and C.7 transmit message request to passing through server TS by the TCP/HTTP channel, wherein, calling terminal From is described as: userA@register.domain, and wherein userA is the Sip Termination ID, register.domain is the Sip server address; Called end To is described as: userB@register.domain, and wherein userB is the called end user ID, register.domain is the Sip server address; Signaling address Contact is: userA@TA.domain, and wherein userA is the Sip Termination ID, TA.domain is for passing through acting server TA address; Media data packet address SDP is described as, IPTA:PortTA, the address of packet is the IP address of passing through acting server TA: IPTA, use be the PortTA port that passes through acting server TA.

Pass through server TS and transmit message request to the Sip server, wherein, calling terminal From is described as: userA@register.domain, and wherein userA is the Sip Termination ID, register.domain is the Sip server address; Called end To is described as: userB@register.domain, and wherein userB is the called end user ID, register.domain is the Sip server address; Signaling address Contact is: userA@TS.domain, and wherein userA is the Sip Termination ID, TS.domain is for passing through server TS address; Media data packet address SDP is described as, IPTS:PortTS, the address of media data packet is the IP address of passing through server TS: IPTS, use be the PortTS port that passes through server TS.

The Sip server returns the 200OK confirmation to passing through server TS, and wherein, calling terminal From is described as: userA@register.domain, and wherein userA is the Sip Termination ID, register.domain is the Sip server address; Called end To is described as: userB@register.domain, and wherein userB is the called end user ID, register.domain is the Sip server address; Signaling address Contact is: userB@userB.domain, and wherein userB is the called end user ID, userB.domain is the called end address; Media data packet address SDP is described as, IPB:PortB, the called end IP address, address of media data packet: IPB, use be the PortB port of called end.

Pass through server TS and C.7 transmit this 200OK confirmation to passing through acting server TA by the TCP/HTTP channel, wherein, calling terminal From is described as: TS@register.domain, and wherein TS passes through server user ID, and register.domain is the Sip server address; Called end To is described as: userB@register.domain, and wherein userB is the called end user ID, register.domain is the Sip server address; Signaling address Contact is: userB@TS.domain, and wherein userB is the called end user ID, TS.domain is for passing through server TS address; Media data packet address SDP is described as, IPTS:PortTS, the address of media data packet is the IP address of passing through server TS: IPTS, use be the PortTS port that passes through server TS.

Pass through acting server TA and transmit this 200OK confirmation to the Sip terminal, wherein, calling terminal From is described as: userA@register.domain, and Sip Termination ID wherein, register.domain is the Sip server address; Called end To is described as: userB@register.domain, and wherein userB is the called end user ID, register.domain is the Sip server address; Signaling address Contact is: userB@TA.domain, and wherein userB is the called end user ID, TA.domain is for passing through acting server TA address; Media data packet address SDP is described as, IPTA:PortTA, the address of media data packet is the IP address of passing through acting server TA: IPTA, use be the PortTA port that passes through acting server TA.

Pass through acting server TA and pass through and set up a TCP/HTTP media channel between the server TS C.8, and utilize and C.8 transmit the multi-medium data bag.When not having media information to transmit between Sip terminal and the Sip acting server, then close this TCP/HTTP channel C.8, but C.7 the TCP/HTTP channel keeps also connecting.
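The Contact and SDP rewriting described for Fig. 5B can be traced hop by hop. The following Python sketch is an added example, not code from the patent: the `Relay` class, the function names and the IP addresses and ports are constructed for illustration, and From and To are simply passed through unchanged.

```python
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class SipMessage:
    kind: str       # "INVITE" or "200 OK"
    from_uri: str   # caller (From); passed through unchanged in this sketch
    to_uri: str     # callee (To); passed through unchanged in this sketch
    contact: str    # signaling address (Contact), "user@host"
    sdp: str        # media packet address from the SDP, "ip:port"


@dataclass
class Relay:
    """One rewriting hop: traversal proxy server TA or traversal server TS."""
    domain: str                      # host part this hop writes into Contact
    media: str                       # "ip:port" this hop writes into the SDP
    bindings: dict = field(default_factory=dict)

    def forward(self, msg: SipMessage) -> SipMessage:
        user = msg.contact.split("@", 1)[0]
        # Record where this user's signaling and media were last seen, so that
        # traffic later addressed to this hop can be relayed to the previous hop.
        self.bindings[user] = (msg.contact, msg.sdp)
        return replace(msg, contact=f"{user}@{self.domain}", sdp=self.media)


def relay_chain(msg, hops):
    """Pass msg through the hops in order; return the message after each hop."""
    seen = [msg]
    for hop in hops:
        msg = hop.forward(msg)
        seen.append(msg)
    return seen


def exposes(msg, address):
    """True if `address` appears in any header or SDP field of msg."""
    return any(address in value
               for value in (msg.from_uri, msg.to_uri, msg.contact, msg.sdp))


def run_fig_5b():
    # Constructed sample addresses (private and documentation ranges).
    ta = Relay("TA.domain", "192.168.1.2:41000")    # IPTA:PortTA
    ts = Relay("TS.domain", "203.0.113.5:42000")    # IPTS:PortTS
    invite = SipMessage("INVITE", "userA@register.domain",
                        "userB@register.domain",
                        "userA@userA.domain", "192.168.1.10:40000")  # IPA:PortA
    ok = SipMessage("200 OK", "userA@register.domain",
                    "userB@register.domain",
                    "userB@userB.domain", "198.51.100.7:43000")      # IPB:PortB
    outbound = relay_chain(invite, [ta, ts])   # terminal -> TA -> TS -> SIP server
    inbound = relay_chain(ok, [ts, ta])        # SIP server -> TS -> TA -> terminal
    return ta, ts, outbound, inbound


if __name__ == "__main__":
    ta, ts, outbound, inbound = run_fig_5b()
    for label, msgs in (("INVITE", outbound), ("200 OK", inbound)):
        for step, m in enumerate(msgs):
            print(f"{label} step {step}: Contact={m.contact} SDP={m.sdp}")
    print("terminal address visible to SIP server:",
          exposes(outbound[-1], "192.168.1.10"))
```

The `bindings` table is what lets each hop relay media arriving at its own address back toward the endpoint it replaced; the `exposes` check shows that the SIP server only ever sees the address of TS.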

Fig. 5 C is the inventive method Session Initiation Protocol data to symmetric form NAT and the Sip terminal use of Firewall Traversing that forbids udp protocol by invitation process figure.

The Sip server sends the invitation solicited message to passing through server TS, and wherein, calling terminal From is described as:

UserB@register.domain, wherein userB is the calling terminal user ID, register.domain is the Sip server address; Called end To is described as: userA@register.domain, and wherein userA is the Sip Termination ID, register.domain is the Sip server address; Signaling address Contact is: userB@userB.domain, and wherein userB is the calling terminal user ID, userB.domain is the calling terminal address; Media data packet address SDP is described as, IPB:PortB, the address of media data packet is calling terminal IP address: IPB, use be the PortB port of calling terminal.

Pass through server TS and C.7 transmit message request to passing through acting server TA by the TCP/HTTP channel, wherein, calling terminal From is described as: userB@register.domain, and wherein userB is the calling terminal user ID, register.domain is the Sip server address; Called end To is described as: userA@register.domain, and wherein userA is the Sip Termination ID, register.domain is the Sip server address; Signaling address Contact is: userB@TS.domain, and wherein userB is the calling terminal user ID, TS.domain is for passing through server TS address; Media data packet address SDP is described as, IPTS:PortTS, the address of media data packet is the IP address of passing through server TS: IPTS, use be the PortTS port that passes through server TS.

Pass through acting server TA and transmit message request to the Sip terminal, wherein, calling terminal From is described as: userB@register.domain, and wherein userB is the calling terminal user ID, register.domain is the Sip server address; Called end To is described as: userA@register.domain, and wherein userA is Si terminal use ID, register.domain is the Sip server address; Signaling address Contact is: userB@TA.domain, and wherein userB is the calling terminal user ID, TA.domain is for passing through acting server TA address; Media data packet address SDP is described as, IPTA:PortTA, the address of media data packet is the IP address of passing through acting server TA: IPTA, use be the PortTA port that passes through acting server TA.

The Sip terminal is returned the 200OK confirmation to passing through acting server TA, and wherein, calling terminal From is described as: userB@register.domain, and wherein userB is the calling terminal user ID, register.domain is the Sip server address; Called end To is described as: userA@register.domain, and wherein userA is the Sip Termination ID, register.domain is the Sip server address; Signaling address Contact is: userA@userA.domain, and wherein useA is the Sip Termination ID, userA.domain is the Sip terminal address; Media data packet address SDP is described as, IPA:PortA, the address of media data packet is the IP address of Sip terminal: IPA, use be the PortA port of Sip terminal.

Pass through acting server TA and C.7 transmit this 200OK confirmation to passing through server TS by the TCP/HTTP channel, wherein, calling terminal From is described as: userB@register.domain, and wherein userB is the calling terminal user ID, register.domain is the Sip server address; Called end To is described as: userA@register.domain, and wherein userA is the Sip Termination ID, register.domain is the Sip server address; Signaling address Contact is: userA@TA.domain, and wherein userA is the Sip Termination ID, TA.domain is for passing through acting server TA address; Media data packet address SDP is described as, IPTA:PortTA, the address of media data packet is the IP address of passing through acting server TA: IPTA, use be the PortTA port that passes through acting server TA.

Pass through server TS and transmit this 200OK confirmation to the Sip server, wherein, calling terminal From is described as: userB@register.domain, and wherein userB is the calling terminal user ID, register.domain is the Sip server address; Called end To is described as: userA@register.domain, and wherein userA is the Sip Termination ID, register.domain is the Sip server address; Signaling address Contact is: userA@TS.domain, and wherein useA is the Sip Termination ID, TS.domain is for passing through server TS address; Media data packet address SDP is described as, IPTS:PortTS, the address of media data packet is the IP address of passing through server TS: IPTS, use be the PortTS port that passes through server TS.

Pass through acting server TA and pass through and set up a TCP/HTTP channel between the server TS C.9, and utilize and C.9 transmit the multi-medium data bag.When not having media information to transmit between Sip terminal and the Sip server, then close this TCP/HTTP channel C.9, but C.7 the TCP/HTTP channel keeps also connecting.

Fig. 5 D is the inventive method Session Initiation Protocol data to symmetric form NAT and forbids the Sip terminal use log off procedure figure of the Firewall Traversing of udp protocol.

The Sip terminal transmits log-off message to passing through acting server TA, and calling terminal From is described as: userA@register.domain, and wherein userA is the Sip Termination ID, register.domain is the Sip server address; Called end To is described as: userA@register.domain, and wherein userA is the Sip Termination ID, register.domain is the Sip server address; Signaling address Contact is: userA@userA.domain, and wherein userA is the Sip Termination ID, userA.domain is the Sip terminal address; The Sip terminal is 0 with the lifetime that is connected of Sip server.

C.7 passing fire wall or NAT transmit log-off message to passing through server TS by the TCP/HTTP channel to pass through acting server TA, calling terminal and called end do not change, be revised as the signaling address: userA@TA.domain, userA is the Sip Termination ID, the signaling address is the address of passing through acting server TA, and the lifetime is 0.

Pass through server TS and transmit log-off message to the Sip server, calling terminal and called end do not change, and be revised as the signaling address: userA@TS.domain, userA are the Sip Termination ID, and the signaling address is the address of passing through server TS, and the lifetime is 0.

The Sip server returns the 200OK confirmation to passing through server TS, and calling terminal, called end and signaling address are all constant, and the lifetime is 0.

C.7 passing fire wall and NAT return 200OK and confirm to passing through acting server TA by the TCP/HTTP channel to pass through server TS, calling terminal and called end information are constant, be revised as the signaling address: userA@TA.domain, userA is the Sip Termination ID, the signaling address is the address of passing through acting server TA, and the lifetime is 0.

Pass through acting server TA and return the 200OK affirmation to the Sip terminal use, calling terminal and called end information are constant, and be revised as the signaling address, userA@userA.domain, and wherein userA is the Sip Termination ID, userA.domain is the Sip terminal address; Lifetime is 0.After the Sip terminal use receives the confirmation information, promptly disconnect the TCP/HTTP channel C.7.

The beneficial effects of the invention are as follows. It is applicable to all types of NAT and/or firewall. Traversal is separated from the application software, so application software can traverse firewalls and NATs without supporting any additional protocol. The spanning platform automatically selects the traversal method and the traversal server, which balances the load on the traversal servers and optimizes network resources without reducing the security of the network. By configuring the traversal policy, the operator can control traversal flexibly, which greatly improves both operation and control.

The above embodiments are only intended to illustrate the invention, not to limit it.

Claims (24)

1. A traversal method for traversing a network address translation device and/or firewall, characterized by comprising the following steps:
Step 1: a user terminal, via a traversal agent, sends user terminal network environment information to a spanning platform through the network address translation device and/or firewall;
Step 2: the spanning platform determines a traversal mode according to this user terminal network environment information and traversal policy information, and returns the traversal mode information to the user terminal;
Step 3: the user terminal, via the traversal agent, uses the traversal mode so that the user terminal communicates with the corresponding application server.
2. The traversal method according to claim 1, characterized in that step 2 comprises:
a traversal dispatch step, which takes the network environment information of the user terminal, received via the traversal agent, as the input of a traversal policy step, and passes the result of the traversal policy step to the user terminal via the traversal agent;
a traversal policy step, which determines the traversal mode according to the network environment information of the user terminal and the traversal policy information, and passes this traversal mode information as input to the traversal dispatch step.
3. The traversal method according to claim 2, characterized by further comprising a traversal load balancing step, which gathers information about the traversal servers and passes it as input to the traversal policy step;
when the traversal mode is determined, if a traversal server needs to be used, the information about the traversal servers is gathered to determine which traversal server to use, and this information is passed together with the traversal mode information as input to the traversal dispatch step.
4. The traversal method according to claim 3, characterized in that the traversal policy step determines, according to the user terminal network environment information, the traversal policy information and the information on whether a traversal server is used, the traversal mode and, where necessary, one traversal server to be used, and passes this result as input to the traversal dispatch step.
5. The traversal method according to claim 3, characterized in that the traversal policy step determines, according to the user terminal network environment information, the traversal server information and the traversal policy information, the traversal mode and two traversal servers, one of which is used to transmit the packets carrying signaling and the other to transmit the packets carrying data, and passes this result as input to the traversal dispatch step.
6. The traversal method according to claim 3, 4 or 5, characterized by further comprising an operator management step, in which the operator manages and controls the spanning platform and formulates the traversal policy information.
7. The traversal method according to claim 6, characterized in that the traversal policy information includes designating that the user terminal use the traversal server nearest to it in routing distance, or the traversal server with the lowest load.
8. The traversal method according to claim 3, 4 or 5, characterized by further comprising a traversal location step, which stores the traversal policy and the information about the spanning platform, the traversal servers and the application servers, and provides the relevant information in the traversal policy step.
9. The traversal method according to claim 3, 4 or 5, characterized in that the user terminal sets up a signaling channel and a data channel with the traversal server via the traversal agent; when there is no data to transmit, the signaling channel is kept and the data channel is removed; when the user terminal deregisters, both the signaling channel and the data channel are removed.
10. The traversal method according to claim 3, 4 or 5, characterized in that the information about a traversal server comprises the load condition of the traversal server and the address information of the traversal server.
11. The traversal method according to claim 1, 2, 3, 4 or 5, characterized in that the user terminal network environment means the type of the user terminal's network address translation device and/or the type of its firewall.
12. A spanning platform for traversing a network address translation device and/or firewall, characterized by comprising:
a traversal policy server, for determining the traversal mode according to the user terminal network environment information and the traversal policy information;
a traversal dispatch server, connected at one end to the user terminal through the network address translation device and/or firewall and the traversal agent, and at the other end to the traversal policy server, for sending the user terminal network environment information to the traversal policy server and passing the result of the traversal policy server to the user terminal via the traversal agent.
13. The spanning platform according to claim 12, characterized in that the spanning platform further comprises: a traversal load balancing server, connected at one end to the traversal policy server and at the other end to the traversal servers, for gathering the information about the traversal servers and passing it to the traversal policy server;
a traversal server, connected to the traversal load balancing server in the spanning platform, which, after the spanning platform has decided the traversal server and the traversal mode, carries the communication between the user terminal and the application server.
14. The spanning platform according to claim 13, characterized in that the spanning platform further comprises: an operator management server, connected to the traversal dispatch server, the traversal policy server and the traversal load balancing server respectively, by which the operator manages and controls the spanning platform and formulates the traversal policy.
15. The spanning platform according to claim 14, characterized in that the spanning platform further comprises: a traversal location server, connected to the traversal policy server and the operator management server, which stores the traversal policy and the information about the spanning platform, the traversal servers and the application servers, and provides the relevant information to the traversal policy server.
16. The spanning platform according to any one of claims 12-15, characterized in that the spanning platform is a computer.
17. A traversal system for traversing a network address translation device and/or firewall, characterized by comprising:
a user terminal, which communicates with the network address translation device and/or firewall via a traversal agent;
a spanning platform, connected to the user terminal through the network address translation device and/or firewall and the traversal agent, which determines the corresponding traversal mode for the user terminal according to the user terminal network environment and the traversal policy information, and returns this traversal mode information to the user terminal;
an application server, connected to the user terminal through the network address translation device and/or firewall and the traversal agent, which provides service to the user terminal.
18. The traversal system according to claim 17, characterized in that the spanning platform comprises:
a traversal policy server, for determining the traversal mode according to the user terminal network environment information and the traversal policy information;
a traversal dispatch server, connected at one end to the user terminal through the network address translation device and/or firewall and the traversal agent, and at the other end to the traversal policy server, for sending the user terminal network environment information to the traversal policy server and passing the result of the traversal policy server to the user terminal via the traversal agent.
19. The traversal system according to claim 18, characterized in that the spanning platform further comprises a traversal load balancing server, connected at one end to the traversal policy server and at the other end to the traversal servers, for gathering the information about the traversal servers and passing it to the traversal policy server;
a traversal server, connected to the traversal load balancing server in the spanning platform, which, after the spanning platform has decided the traversal server and the traversal mode, carries the communication between the user terminal and the application server.
20. The traversal system according to claim 19, characterized by further comprising an operator management server, connected to the traversal dispatch server, the traversal policy server and the traversal load balancing server respectively, by which the operator manages and controls the spanning platform and formulates the traversal policy.
21. The traversal system according to claim 20, characterized by further comprising a traversal location server, connected to the traversal policy server and the operator management server, which stores the traversal policy and the information about the spanning platform, the traversal servers and the application servers, and provides the relevant information to the traversal policy server.
22. The traversal system according to claim 17, characterized in that the traversal agent is a traversal proxy server independent of the user terminal, used to proxy the data transmitted between the user terminal and other devices in the network.
23. The traversal system according to claim 17, characterized in that the traversal agent is traversal agent service software integrated in the user terminal, used to proxy the data transmitted between the user terminal and other devices in the network.
24. The traversal system according to any one of claims 17-21, characterized in that the spanning platform is a computer.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2006100579325A CN100539504C (en) 2006-02-28 2006-02-28 A kind of network address translation and/or firewall spanning platform, system and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2006100579325A CN100539504C (en) 2006-02-28 2006-02-28 A kind of network address translation and/or firewall spanning platform, system and method thereof

Publications (2)

Publication Number Publication Date
CN101030865A CN101030865A (en) 2007-09-05
CN100539504C true CN100539504C (en) 2009-09-09

Family

ID=38715964

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2006100579325A CN100539504C (en) 2006-02-28 2006-02-28 A kind of network address translation and/or firewall spanning platform, system and method thereof

Country Status (1)

Country Link
CN (1) CN100539504C (en)

Legal Events

Date Code Title Description
PB01 Publication
C06 Publication
SE01 Entry into force of request for substantive examination
C10 Entry into substantive examination
GR01 Patent grant
C14 Grant of patent or utility model
ASS Succession or assignment of patent right

Owner name: NOKIA SIEMENS NETWORKS TECHNOLOGY (BEIJING) CO., L

Free format text: FORMER OWNER: NOKIA SIEMENS NETWORKS SYSTEM TECHNOLOGY (BEIJING) CO., LTD.

Effective date: 20111118

TR01 Transfer of patent right

Effective date of registration: 20111118

Address after: 100007 Beijing city Dongcheng District Dongzhimen South Street No. 3 7 floor

Patentee after: Siemens Communication Networks Ltd., Beijing

Address before: 100016 Building No. 14, Jiuxianqiao Road, Chaoyang District, Beijing, 51

Patentee before: Siemens (China) Co., Ltd.

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 100016 CHAOYANG, BEIJING TO: 100007 DONGCHENG, BEIJING